Question
Here is a sample of my web application. Does it vulnerable to Cross-Site Request Forgery (CSRF) Attack? How can i prevent from CSRF?
here is my new.jsp for adding new user.
https://stackoverflow.com/questions/23152178
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian <FORM NAME="Form" METHOD="post" ACTION="controller?event=PostNewUser">
<TABLE WIDTH="655" BORDER="0" CELLPADDING="2" CELLSPACING="0" class="gray_background" align="center" >
<TR><TD colspan="4" CLASS="text" align="left"><strong>Personal Details</strong></TD></TR>
<tr>
<td colspan="4">
<table >
<TR>
<TD width="62" align="right" CLASS="text">Code : </td>
<td width="144"><INPUT NAME="code" TYPE="text" id="code" VALUE="N" CLASS="password" maxlength="9"></td>
<td width="66" align="right" CLASS="text">Name : </td>
<TD width="144" align="left" CLASS="text"><input name="name" type="text" id="name" value="" class="password" maxlength="80">
</TD>
<TD width="44" align="right" CLASS="text">Email : </TD>
<TD width="152" align="left" CLASS="text"><input name="email" type="text" id="email" value="" class="password" maxlength="70"></TD>
</TR>
<TR>
<TD colspan="4" CLASS="text" align="center"><INPUT NAME="submit" TYPE="submit" class="submit_button" VALUE="Create" ></TD>
</TR>
</TABLE>
</FORM>
And here is my servlet.
public class PostNewAgentEventHandler extends EventHandlerBase {
protected void process(HttpServletRequest request,
HttpServletResponse response) throws Exception {
String name = request.getParameter("name").trim();
String agentCode = request.getParameter("code").trim();
String email = request.getParameter("email").trim();
}
}
Solution
You might consider using OWASP CSRFGuard. It's a Filter for servlet applications designed to prevent CSRF attacks.
Their web site design isn't brilliant. You can find the Installation Guide, User Manual and other links by scrolling down to the bottom of the page.
